Tag Archives: cryptocurrencies

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company’s Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.

However, there are significant risks of increased facility cost that must be addressed.

Understanding Blockchain and Crypto Mining

Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks mined, the more difficult and resource-intensive becomes solving the hash to mine a new block.

Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process, as well as forming “mining pools” where collections of computers work together to calculate the hash.

The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It’s this search for more compute resources that has led some miners to exploit enterprise and cloud networks.

Participating in mining pools requires that computers run native or JavaScript-based mining software (see Figure 1). Both will use the Stratum protocol to distribute computational tasks among the computers in the mining pool using TCP or HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.

Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.

The Risk Crypto Mining Poses to the Enterprise

Mining software poses a risk to the organization on two counts. In all cases, mining software is highly compute-intensive, which can slow down an employee’s machine. Running CPUs under a “high load” for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.

How To Protect Against Crypto Mining

Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.

The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.

Approach 1: Blocking Unencrypted Stratum Sessions with DPI

DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.

A subscription request to join a pool will have the following entities: id, method, and params (see Figure 3). Configure DPI rules to look for these parameters to block Stratum over unencrypted TCP.

{"id": 1, "method": "mining.subscribe", "params": []}

Three parameters are used in a subscription request message when joining a pool.
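The following detection logic is an added example, not Cato’s code or the page’s own: it parses a reassembled, unencrypted TCP payload as newline-delimited JSON-RPC (the framing Stratum uses) and flags requests that carry the three entities above with a pool-join method. Only mining.subscribe appears on this page; mining.authorize and login are assumed from general Stratum knowledge, and all sample payloads are constructed.

```python
"""Flag Stratum pool-join requests in unencrypted TCP payloads (added example)."""
import json
from typing import List, Optional

# mining.subscribe is the request shown on the page. mining.authorize (Stratum v1)
# and login (the variant Monero pools use) are an assumption, not from the page.
JOIN_METHODS = {"mining.subscribe", "mining.authorize", "login"}


def parse_stratum_request(line: bytes) -> Optional[dict]:
    """Return the decoded request if `line` has the Stratum shape, else None.

    Parsing the JSON instead of matching the literal string from the page keeps the
    rule robust to whitespace, key ordering and differing id values.
    """
    try:
        msg = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict):
        return None
    # The three entities of a subscription request: id, method, params.
    if not all(k in msg for k in ("id", "method", "params")):
        return None
    if not isinstance(msg["method"], str) or not isinstance(msg["params"], (list, dict)):
        return None
    return msg


def is_stratum_join(line: bytes) -> bool:
    """True when the line is a request joining or authenticating to a pool."""
    msg = parse_stratum_request(line)
    return msg is not None and msg["method"] in JOIN_METHODS


def scan_payload(payload: bytes) -> List[str]:
    """Return the join methods seen in a payload.

    Stratum messages are newline-terminated, so a trailing fragment without a
    newline is left for the next segment rather than being mis-parsed.
    """
    *complete, _partial = payload.split(b"\n")
    return [json.loads(line)["method"] for line in complete if is_stratum_join(line.strip())]


# Constructed sample payloads, not real captures.
SAMPLE_STRATUM = (
    b'{"id": 1, "method": "mining.subscribe", "params": []}\n'
    b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n'
    b'{"id": 3, "method": "mining.submit", "params": ["worker1", "job", "nonce"]}\n'
    b'{"id": 4, "method": "mining.subsc'  # partial line: not complete yet
)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_LOOKALIKE = b'{"id": 1, "method": "mining.subscribe"}\n'  # no params entity

if __name__ == "__main__":
    print(scan_payload(SAMPLE_STRATUM))   # ['mining.subscribe', 'mining.authorize']
    print(scan_payload(SAMPLE_HTTP))      # []
    print(scan_payload(SAMPLE_LOOKALIKE)) # []
```

Share submissions (mining.submit) are deliberately not flagged; blocking the join step is enough to keep the session from ever becoming useful to the pool.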

Approach 2: Blocking Public Mining Pool Addresses

However, some mining pools create encrypted Stratum channels. This is particularly true for JavaScript-based applications, which often run Stratum over HTTPS.

Detecting Stratum in that case will be difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains that form the public blockchain pools.

To determine the IP addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page

Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.

IT professionals would be forced to manually enter public addresses, which will likely change or increase, requiring constant maintenance and updates.

Cato Research Labs Publishes List of Mining Pool Addresses

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Final Thoughts

The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend IT prevent and remove crypto mining from enterprise networks.

Should software-mining applications be found on the network, Cato Research Labs strongly recommends investigating active malware infections and cleaning those machines to reduce any risk to the organization’s data.

Cato Research Labs provided a list of addresses that can be used towards that goal, blocking access to public blockchain pools. But there’s always a chance of new pools or addresses, which is why Cato Research Labs strongly recommends constructing rules using a DPI engine with sufficient encrypted-session capacity.

With the vast amounts of people suddenly becoming millionaires, the chances of you not hearing about Bitcoin are almost nil. The success stories are all over the internet. Even the already rich rap-star 50 Cent added his name to the ever-growing list of Bitcoin millionaires. He claims that over the last few years he has been sitting on a “forgotten” fortune of 700 virtual coins that he made selling his album back in 2014. Is he a smart investor or a lucky guy? No one knows, but the truth is that he is now worth $7 million more than last year. Cheers, 50 Cent, this is what we call a flying start to the new year!

In 2017 Bitcoin managed to become so popular that it is an absolute rarity to live in the western world and not to have at least one friend or a relative who is somehow engaged in cryptocurrency trading. User-friendly virtual money exchanges such as Coinbase started gaining speed making the purchase of cryptocurrency as easy as requesting an Uber ride. People who wanted to invest no longer had to wire money to exchange sites but use a simple app to purchase some of the crypto-gold with a credit card. Last year was also the year that saw Bitcoin increase its value 20 times and become the 6th most valuable currency in the world.

While Bitcoin’s price kept surging, there were a ton of leading economists such as Jamie Dimon, chairman and CEO of JPMorgan Chase, and billionaire investor Warren Buffett, who said the crypto-world might be doomed. Jamie called it a fraud and Warren kept warning everyone that the craze over Bitcoin and other cryptocurrencies won’t end well. Even Jordan Belfort, also known as the real Wolf of Wall Street and the man who predicted the 2008 financial crisis, called Bitcoin a “huge danger.” Things are never perfect, Bitcoin lost half of its gains but still managed to close 2017 about ten times more valuable than it started it.

Love it or hate it, there is no doubt, 2017 was the year of Bitcoin! Over the last 13 months, Bitcoin has been a subject of enormous attention and is rapidly changing the landscape of the financial world, boldly paving the way for other cryptocurrencies such as Ethereum, Ripple, Bitcoin Cash, Litecoin, Monero, and Zcash. While Bitcoin was the primary currency making the news, its contenders had a good year too, as almost all of them registered even better growth percentages than Bitcoin.

What about 2018?

High volatility and the lack of understanding have been scaring many investors away from the crypto-world. While governments are trying to regulate the market, it still feels like the wild west. Exchanges have been prone to hacks, investors have been afraid to jump in due to the lack of regulations, and regular folks have been avoiding the crypto-world because of the lack of user-friendly crypto exchanges. However, things are changing – governments from all over the world are starting to realize that instead of fighting the new currencies, they can tax the transactions and get their piece of the pie. New and stricter laws are making Initial Coin Offerings more and more transparent and regulated, and in 2018 exchanges in the US will most likely be forced to report every account trading more than $20k to the IRS. Exchanges are continually trying to increase security, and there are user-friendly exchanges like Coinbase that are allowing everyday people to participate. Cryptocurrencies will continue to be part of our lives in 2018.

What is the future of cryptocurrencies?

In 2018 we will see more and more governments trying to regulate cryptocurrencies, we will witness the creation of more altcoins, and we will see how Bitcoin’s main competitors, Ethereum, Monero, ZCash, and Ripple, try to take a shot at Bitcoin. 2018 may be the year that sees Bitcoin taken down from its throne. This wouldn’t be a first for the tech world – Nokia’s Symbian was the primary modern mobile OS, but later it was overshadowed by better mobile operating systems such as Android and iOS. This might be the case with Bitcoin too. Time will tell!

On the other hand, Bitcoin has been known as the gold of the cryptocurrencies. It may stick around, but it won’t be the game-changing technology that transforms the financial world. The cashier at Stater Brothers won’t be happy if you try to pay for the groceries with gold bullion – you will most likely be asked to use a credit card or cash instead. This is what is happening with Bitcoin. Stripe, one of the first firms to help users do financial transactions with Bitcoin, recently announced that it would be dropping support for Bitcoin payments, saying the fees are too high. And people do not blame them for their decision: Bitcoin transaction fees can easily reach $20+, while transactions with currencies such as Ethereum and Ripple only cost a few bucks.

While governments are desperately racing each other to find ways to regulate the decentralized virtual currencies, they are also exploring opportunities of creating their national cryptocurrencies too. So the next groundbreaking virtual money might have not even been invented yet. The masses are more likely to support a government-backed cryptocurrency than the ones associated with the dark web that we see now.

If you are thinking of entering the world of crypto, or you are already in, you have to bear in mind that it is an extremely risky investment and there is no insurance for your assets. Hackers are lurking around so securing your digital wallet should be a high priority. Always make sure you have antivirus software on all your devices. Having another layer of security can prevent cybercriminals from gaining access to your digital coins. It only takes seconds for hackers to send your virtual money away from your wallet, and once it leaves your digital portfolio, there is no way of getting it back. Be prepared!

Mining cryptocurrencies can be a costly investment as it takes a monstrous amount of computing power, and thus hackers have started using malware that steals computing resources of computers it hijacks to make lots of dollars in digital currency.

Security researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals make more than $63,000 worth of Monero (XMR) in just three months.

According to a report published by ESET today, cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers.

Although ESET’s investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine ‘Monero,’ a Bitcoin-like cryptocurrency.

The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0—the web server in Windows Server 2003 R2.

Therefore, hackers are only targeting unpatched machines running Windows Server 2003 to make them part of a botnet, which has already helped them make over $63,000 worth of Monero.

Since the vulnerability is on a web server, which is meant to be visible from the internet, it can be accessed and exploited by anyone. You can learn more about the vulnerability here.

The newly discovered malware mines Monero that has a total market valuation of about $1.4 billion, which is far behind Bitcoin in market capitalisation, but cybercriminals’ love for Monero is due to its focus on privacy.

Unlike Bitcoin, Monero offers untraceable transactions and is an anonymous cryptocurrency.

Another reason hackers favour Monero is that it uses a proof-of-work algorithm called CryptoNight, which suits ordinary computer or server CPUs and GPUs, while Bitcoin mining requires specialised mining hardware.

However, this is not the first time when analysts have spotted such malware mining Monero by stealing computing resources of compromised computers.

In mid-May, Proofpoint researcher Kafeine discovered cryptocurrency mining malware, called ‘Adylkuzz,’ which was using the EternalBlue exploit—created by the NSA and dumped by the Shadow Brokers in April—to infect unpatched Windows systems to mine Monero.

A week before that, GuardiCore researchers discovered a new botnet malware, dubbed BondNet, that was also infecting Windows systems, with a combination of techniques, for primarily mining Monero.

One of the world’s largest Bitcoin and Ether cryptocurrency exchanges, Bithumb, has recently been hacked, resulting in the loss of more than $1 Million in cryptocurrencies after a number of its user accounts were compromised.

Bithumb is South Korea’s largest cryptocurrency exchange with 20% of global ether trades, and roughly 10% of the global bitcoin trade is exchanged for South Korea’s currency, the Won.

Last week, a cyber attack on the cryptocurrency exchange giant resulted in a number of user accounts being compromised, and billions of South Korean Won were stolen from customers accounts.

Around 10 Million Won worth of bitcoins were allegedly stolen from a single victim’s account, according to the Kyunghyang Shinmun, a major local newspaper.

A survey of users who lost cryptocurrencies in the cyber attack reveals “it is estimated that hundreds of millions of won [worth of cryptocurrencies] have been withdrawn from accounts of one hundred investors. One member claims to have had 1.2 billion won stolen.”

However, Bithumb claims that this number represents approximately 3% of its customers.

The exchange also told Yonhap that it contacted South Korea’s cybercrime watchdog on June 30, Friday after it learned of the hack on June 29.

Bithumb believes that one of its employees’ home computers was hacked in the attack, not its entire network, and that no passwords were compromised, so it is impossible for hackers to gain direct access to user accounts.

The digital currency exchange says that the loss of funds is the result of using “disposable passwords” in order to carry out digital transactions online.

“The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked,” Bithumb told the newspaper. “However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions.”

While more than 100 Bithumb customers have already filed a complaint with the National Police Agency’s cybercrime report center regarding the hack, South Korean officials are now investigating the incident.